No announcement yet.

Users, Shares and Permissions

  • Filter
  • Time
  • Show
Clear All
new posts

  • Users, Shares and Permissions

    I am setting up a new AD in a single server environment and have been following some on-line guides to populating my AD. I have created a "Resources" folder under my domain name and inside that folder have created subfolders for desktops, laptops, printers, users. I've setup the users with a "Profile Path" of "\\server\users\%username%" and created a share on the d drive called "users". The Share Permissions on the "users" file is set for the "Everyone" Group with Allow Full Control, Change, and Read checked. Since I did not create my users inside the default "Users" AD container does "Everyone" apply to my users inside my "Resources" container? I've tried adding my Users folder and even my Resources to the Group or User with no success. Am I correct in thinking "Everyone" doesn't automatically include my Users folder? If so, what's the syntax for adding them? I've tried each of the examples in Windows gives.


  • #2
    Re: Users, Shares and Permissions

    The Everyone group in Microsoft Windows 2003 Server includes Authenticated Users and Domain Guests.

    As the user objects you have created are authenticated when they log on to your domain these are are classed as Authenticated Users.

    It is useful to think of organisational units from purely an administrative perspective, they are not used for security.
    MCSA 2000/2003


    • #3
      Re: Users, Shares and Permissions

      Let's get the terminology straight too.

      1. Folders contain files and other folders. They reside on disks and/or volumes.

      2. Inside AD, within your domain, you have objects, Organisational Units (OUs) and Containers. "Users", "Builtin" and "Computers" are CONTAINERS. When YOU create places for user and computer objects etc., they are OUs. They are used to give a logical structure to your AD and to allow the application of Group Policy to logical groupings of objects.

      The "Everyone" group literally contains EVERYONE. From within the entire forest, from outside the forest, EVERYONE. If you grant "Everyone" Full Control permissions on a file server in a domain and map a drive to it from a non-domain (workgroup based) machine, YOU STILL GET ACCESS. Use the "Authenticated Users" group instead, and you limit access to users in your AD Forest.

      P.S. There are several groups which are dynamic in membership and cannot be explicitly modified by you - these include "Everyone", "Authenticated Users", "Interactive" and several others.
      Last edited by Stonelaughter; 30th October 2007, 22:53.

      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you